Thwarting the Age Old Man in the Middle

Man in the middle attacks are morphing to keep pace with mobile, VoIP, browsers ... you name it and financial institutions are on alert.

Man in the middle (MITM) attacks are as old as transportation. In the Wild West, these attackers would be the stage coach bandits or the train robbers that rerouted riches to a new destination.

In the digital world, the attackers steal packets of information rather than chests of gold, but the modus operandi remains the same: Theft in transit.

However, the means of theft vary quite extensively.

"Traditional Layer-2 networks such as wired Ethernet and wireless 802.11 are plagued with man in the middle vulnerabilities and weaknesses, the attack taxonomy of which includes ARP cache redirection and poisoning, rogue DHCP servers, VLAN encapsulation within encapsulation, and network switch lookup table flooding to force unauthorized traffic broadcasting," explained Gregory Perry, CEO of GoVirtual Education.

"Source routing and fragmentation attacks can also be used against higher order Layer-3+ presentation and application protocols, in a similar vein to Layer-2 MITM attack methods."

The hackers' goal is not to infect your computer but to steal information: financial and identity information from individuals, and confidential business information in the course of corporate espionage.

"Malware and man in the browser (MITB) attacks -- a fast-growing variation of 'man in the middle' -- are of growing concern, particularly in online banking environments where they are causing the highest rates of financial fraud beyond phishing and identity theft," warned Tsion Gonen, corporate VP of Products and Marketing at SafeNet.

Modes of attack

While MITM attacks have been around for quite a while, the newer tools are far more sophisticated and dangerous.

"This most recent wave of attack tools and their progeny can be used without authorization to intercept and redirect network traffic, perform surreptitious analysis and clandestine interception of confidential and privileged network communications, insert and/or remove information from live communication streams, extract plain text user accounts and passwords from applications and the transport network, intercept and decrypt applications protected with the secure sockets layer (SSL) encryption method, and intercept and decrypt network communications purportedly secured with IPSEC VPN tunnels," explained Perry.

These tools are do-it-yourself malicious tool kits that make creating malware easy even for a novice. However, they are not cheap. A ZeuS kit, for example, can go for $8000 or more -- although that seems to be the high end. Even so, the price is a steal considering ZeuS was used to heist £675,000 from a single UK bank in July 2010.

The most used attack kits are MPack, Neosploit, ZeuS, Nukesploit P4ck and Phoenix, according to Symantec.

Spyeye is a ZeuS knockoff that is supposed to be available soon in a mashup with ZeuS code to make it even more efficient. ZeuS is considered by experts to be the most pervasive banking Trojan in the world. Recently, ZeuS code was leaked and security professionals are bracing for a swell in criminal activity. Weyland-Yutani Bot is a Mac OS X version of ZeuS and Spyeye.

ZeuS and its kin are especially adept at seamlessly inserting fraudulent fields into forms on legitimate websites, typically retail and online banking sites, tricking the user into providing information that is sent straight to criminals. However, these tools can be used in numerous ways to intercept traffic.

The latest ZeuS-like release is the BlackHole exploit kit that originally sold on darkware sites for $1500 for a year's license and $200 for a week. This month it was released for free. Its traffic detection script (TDS) is far more powerful than its predecessors but requires significant skills to use.

But even that list of horrors is not the entire scope of MITM attacks.

But wait ... there's more

ARP poisoning, for example, must be performed locally on the network. That makes it a bit trickier to accomplish but no less dangerous. The attacker ties his MAC address to the IP address of another host, so that traffic meant for that host is delivered to him instead. Essentially, the attacker is eavesdropping on and controlling the conversation or transaction between two parties. This is the most common attack found on unprotected WiFi networks such as public hotspots or home routers protected only by WEP.

"ARP poisoning is just one type of MITM attack; others include BGP MITM, rogue access points and man-in-the-browser. Of these, man-in-the-browser has proved to be the biggest threat," explained Terry Nelms, research director for cyber security firm Damballa.

MITB attacks are designed to slip around normal defensive plays such as traditional antivirus solutions and strong authentication technologies such as tokens or network access control (NAC) systems. Generally, MITB attacks are Trojans that infect a Web browser to modify transaction content or to insert additional transactions. The Trojan uses objects, extensions, user scripts and other common facilities designed to enhance browser activities. Thus, the Trojan is virtually undetectable by virus scanning software.

"It then captures all data processed by that browser including logon credentials and large quantities of sensitive corporate information, and transmits it back to the criminals. All this can be achieved without infecting a single computer within the physical boundaries of the enterprise or setting off alarms."

The threat increases with the use of mobile devices.

"These days, it's not uncommon for virtually every employee, contractor or partner to have enterprise access rights remotely and from the device of their choosing," said Klein. "It is this proliferation of unmanaged home and work laptops and personal PCs that often leads to malware snaking into secure enterprise networks."

Tools and techniques to thwart attacks

Defensive products such as XArp are helpful for small business and home networks. XArp reports changes in the IP to MAC mapping in order to identify ARP poisoning, the classic MITM attack. However, XArp is not much help with larger networks containing layered switches.
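The IP-to-MAC monitoring that XArp performs, and the MAC-tied-to-another-host's-IP pattern described under ARP poisoning above, can be illustrated with a small detector. This is an added example written for this article, not XArp's code; the ARP reply records are constructed, and the two heuristics (a mapping that flips, and one MAC answering for several IPs) are assumptions about what a monitor would flag.

```python
"""Flag ARP-cache poisoning from a stream of ARP replies.
Added example in the spirit of XArp-style monitoring; not XArp's own code."""
from collections import defaultdict

# Constructed sample: (time, sender IP, sender MAC) from ARP replies seen on a LAN.
# The gateway 192.168.1.1 legitimately sits at aa:bb:cc:dd:ee:01. The last two
# records show a second MAC claiming the gateway and then a client address.
SAMPLE_ARP_REPLIES = [
    (1.0, "192.168.1.1", "aa:bb:cc:dd:ee:01"),
    (1.5, "192.168.1.20", "aa:bb:cc:dd:ee:20"),
    (2.0, "192.168.1.1", "aa:bb:cc:dd:ee:01"),    # same mapping again: benign
    (30.0, "192.168.1.1", "de:ad:be:ef:00:99"),   # gateway mapping flips
    (30.2, "192.168.1.20", "de:ad:be:ef:00:99"),  # same MAC now claims a 2nd IP
]


def detect_arp_poisoning(replies, known=None):
    """Return a list of alert strings for suspicious ARP replies.

    Heuristic 1: an IP whose MAC differs from the first MAC seen for it
                 (or from a trusted table passed in as `known`).
    Heuristic 2: one MAC answering for more than one IP, which is what a
                 poisoner does when impersonating both gateway and victim.
    The first-seen mapping is kept as the trusted one so that every later
    spoofed reply keeps raising an alert rather than silently re-learning."""
    ip_to_mac = {ip: mac.lower() for ip, mac in (known or {}).items()}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        trusted = ip_to_mac.get(ip)
        if trusted is None:
            ip_to_mac[ip] = mac              # learn the first mapping
        elif trusted != mac:
            alerts.append(f"t={ts}: {ip} moved from {trusted} to {mac}")
        if ip not in mac_to_ips[mac]:        # alert once per new IP a MAC claims
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(f"t={ts}: {mac} claims {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_poisoning(SAMPLE_ARP_REPLIES):
        print(line)
```

On the constructed sample the detector stays quiet through the benign repeat at t=2.0 and raises three alerts once the second MAC appears. A router that legitimately owns several addresses would trip heuristic 2, so a trusted `known` table is the way to whitelist it.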